From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [RFC PATCH v2 1/4] security/ima: Rewrite tests into new API + fixes
Date: Wed, 11 Apr 2018 21:03:35 +0200 [thread overview]
Message-ID: <20180411190335.GB25859@x230> (raw)
In-Reply-To: <1523375764.5268.12.camel@linux.vnet.ibm.com>
Hi Mimi,
> > > > load_policy()
> > ...
> > > > cat $1 |
> > > > - while read line ; do
> > > > - {
> > > > - if [ "${line#\#}" = "${line}" ] ; then
> > > > - echo $line >&4 2> /dev/null
> > > > + while read line; do
> > > > + if [ "${line#\#}" = "${line}" ]; then
> > > > + echo "$line" >&4 2> /dev/null
> > > > if [ $? -ne 0 ]; then
> > > > exec 4>&-
> > > > return 1
> > > > fi
> > > > fi
> > > > - }
> > > Originally writing the policy was done one rule at a time, but hasn't
> > > been required for a long time. dracut and systemd 'cat' the policy
> > > directly to the pseudo file.
> > OK, let's simplify it to catting the content.
> Replacing the builtin policy with a new policy in the initramfs was
> considered safe. With commit 38d859f991f3 ("IMA: policy can now be
> updated multiple times") the policy can be extended multiple times,
> not only from the initramfs. For it to be safe to extend the IMA
> policy (eg. CONFIG_IMA_WRITE_POLICY), the policy must be signed.
> These tests assume the policy does not need to be signed.
Is it a good idea to expect that policy must be signed also for older kernels
(kernels before 4.5)?
> Mimi
Kind regards,
Petr
next prev parent reply other threads:[~2018-04-11 19:03 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-14 15:57 [LTP] [RFC PATCH v2 0/4] Rewrite tests into new API + fixes Petr Vorel
2018-03-14 15:57 ` [LTP] [RFC PATCH v2 1/4] security/ima: " Petr Vorel
2018-03-14 16:32 ` Petr Vorel
2018-03-27 19:12 ` Mimi Zohar
2018-03-29 8:59 ` Petr Vorel
2018-04-10 15:56 ` Mimi Zohar
2018-04-11 19:03 ` Petr Vorel [this message]
2018-04-11 20:03 ` Mimi Zohar
2018-03-14 15:57 ` [LTP] [RFC PATCH v2 2/4] security/ima: Run measurements after policy Petr Vorel
2018-03-14 15:57 ` [LTP] [RFC PATCH v2 3/4] ima/ima_boot_aggregate: Increase MAX_EVENT_SIZE to 8k Petr Vorel
2018-03-27 19:44 ` Mimi Zohar
2018-03-27 22:23 ` George Wilson
2018-03-29 6:18 ` Petr Vorel
2018-03-14 15:57 ` [LTP] [RFC PATCH v2 4/4] ima/tpm: Various fixes Petr Vorel
2018-03-26 22:31 ` [LTP] [RFC PATCH v2 0/4] Rewrite tests into new API + fixes Mimi Zohar
2018-03-27 9:22 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180411190335.GB25859@x230 \
--to=pvorel@suse.cz \
--cc=ltp@lists.linux.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox